Summary
GitHub has officially launched its passkeys security feature into general availability, following a two-month beta testing period. Passkeys enable cloud-synced authentication using cryptographic key pairs, allowing users to sign in to websites and apps with their screen-lock PIN, biometrics, or a physical security key. This technology combines the security benefits of passwords and two-factor authentication (2FA) into a single step, simplifying secure access to online services. GitHub's move aligns with industry efforts, including collaborations between major tech companies like Google, Apple, Microsoft, and the FIDO Alliance, to make passwordless logins a reality across devices, browsers, and operating systems. Passkeys are seen as a significant step in enhancing security in the software supply chain, a vital aspect of the cybersecurity landscape.
Is this webauthn? Or a custom protocol?
It is a FIDO alliance protocol. This is meant to replace/supplement password, not as 2FA. The sites I use that implement it, Google, Adobe, and Github use it to supplant both the password and 2FA. Cool thing about it is more less: 1) unphishable 2) doesn't matter if the website's passphrase data leaks.
Webauthn isn't just for 2FA, it's for user user authentication through public key cryptography. Passkeys are Webauthn, but the former is a better marketable term.